Amortized Complexity of Information-Theoretically Secure MPC Revisited
Ignacio Cascudo (Aalborg University), Ronald Cramer (CWI Amsterdam, Leiden University), Chaoping Xing (NTU Singapore), Chen Yuan (CWI Amsterdam)
CRYPTO, 22 August 2018
Secure multiparty computation (MPC)
[Figure: $n$ parties with private inputs $x_1, \dots, x_n$ jointly compute $y = f(x_1, \dots, x_n)$.]
Secret-sharing based MPC
[Figure: each party secret-shares its input $x_i$ as $[x_i]$ under a linear secret sharing scheme over $\mathbb{F}_q$; the arithmetic circuit $C$ over $\mathbb{F}_q$ is evaluated gate by gate ($[a], [b] \to [G(a,b)]$), and the output $y = f(x_1, \dots, x_n)$ is reconstructed from $[y]$.]
◮ The function is represented by an arithmetic circuit over some field $\mathbb{F}_q$.
◮ Parties secret-share their inputs.
◮ Gate-by-gate computation: $[a], [b] \to [G(a,b)]$.
◮ Linear gates: using the linearity of the secret sharing scheme.
◮ Multiplication gates: a dedicated subprotocol.
Motivation
Many secret-sharing-based MPC protocols need large finite fields. For example:
◮ Use of Shamir's scheme (BGW88 and many others)
◮ Use of hyperinvertible matrices (Beerliova-Hirt 08)
◮ Use of message authentication codes (SPDZ)
Motivation
How can we use those protocols for computing arithmetic circuits over small fields (e.g. $q = 2$)?
◮ Standard solution: consider each input $\in \mathbb{F}_2$ as an element of a large extension field $\mathbb{F}_{2^m}$, and use the protocol for $\mathbb{F}_{2^m}$.
◮ Problem: this seems wasteful.
◮ Can we get more out of this?
Goal
We want to securely compute $k > 1$ parallel evaluations of the binary circuit by using one execution of the arithmetic MPC protocol over $\mathbb{F}_{2^m}$ plus "cheaper" steps (in terms of communication complexity).
More concretely, we focus on information-theoretically perfectly secure MPC, and we consider Beerliova-Hirt 08 (BH08) as the "arithmetic" MPC protocol.
BH08 result / Our result
BH08: There exists an information-theoretically perfectly secure $n$-party MPC protocol for an arithmetic circuit over $\mathbb{F}_{2^m}$, $2^m > 2n$, which
◮ Is secure against $\lfloor (n-1)/3 \rfloor$ active corruptions (optimal).
◮ Has communication complexity of $O(n)$ field elements per gate.
Our main result (Theorem 1): There exists an $n$-party MPC protocol for any Boolean circuit which
◮ Is secure against $\lfloor (n-1)/3 \rfloor$ active corruptions (optimal).
◮ Computes $\Omega(\log n)$ evaluations in parallel.
◮ Has communication complexity of $O(n)$ bits per gate per instance.
Results
◮ Packed secret sharing by itself cannot achieve this, as it cannot attain $\lfloor (n-1)/3 \rfloor$ corruption tolerance.
◮ In fact we can combine our techniques with packed secret sharing and obtain:
Result 2: for every $\epsilon > 0$, an $n$-party MPC protocol for any Boolean circuit which
◮ Is secure against $t < (1-\epsilon)\,n/3$ active corruptions.
◮ Computes $\Omega(n \log n)$ evaluations in parallel.
◮ Has amortized communication complexity of $O(1)$ bits per gate per instance.
Goal
[Figure: the $k$ parallel evaluations $y_j = C(x_{1j}, x_{2j}, \dots, x_{nj})$, $j = 1, \dots, k$, of the binary circuit $C$, where party $i$ holds the inputs $x_{i1}, x_{i2}, \dots, x_{ik}$, are obtained from a single evaluation $Y = C'(X_1, \dots, X_n)$ of an arithmetic circuit $C'$ over GF($2^m$), computed by the protocol $\pi'$ (the resource).]
Obstacle
$(\mathbb{F}_2^k, +)$ and $(\mathbb{F}_{2^k}, +)$ are isomorphic as $\mathbb{F}_q$-vector spaces, but $(\mathbb{F}_2^k, +, *)$ and $(\mathbb{F}_{2^k}, +, \cdot)$ are not isomorphic as $\mathbb{F}_q$-algebras for $k > 1$ (where $*$ is the Schur product in $\mathbb{F}_2^k$ and $\cdot$ is the field product in $\mathbb{F}_{2^k}$).
Reverse multiplication-friendly embeddings
Next best thing: reverse multiplication-friendly embeddings (RMFE).
A $(k, m)_2$-RMFE is a pair $(\varphi, \psi)$ where
◮ $\varphi: \mathbb{F}_2^k \to \mathbb{F}_{2^m}$ is $\mathbb{F}_2$-linear,
◮ $\psi: \mathbb{F}_{2^m} \to \mathbb{F}_2^k$ is $\mathbb{F}_2$-linear, and
◮ for all $x, y \in \mathbb{F}_2^k$, $x * y = \psi(\varphi(x) \cdot \varphi(y))$.
Remark: $\varphi$ is invertible, but $\psi \neq \varphi^{-1}$.
History
Multiplication-friendly embeddings ($\mathbb{F}_2^k$ and $\mathbb{F}_{2^m}$ swapped):
◮ Introduced in MPC in CCCX09
◮ "Bilinear multiplication algorithms" (Chud 86)
Reverse multiplication-friendly embeddings:
◮ Can be used to improve CCCX09 (unpublished)
◮ BMN17
◮ This paper
◮ BMN18
Constructions
[Remember: a $(k, m)_2$-RMFE embeds $\mathbb{F}_2^k$ into $\mathbb{F}_{2^m}$.]
◮ Asymptotic: there exist families of $(k, O(k))_2$-RMFEs. Algebraic-geometric construction.
◮ Non-asymptotic: for all $r \le 33$, there exists a $(3r, 10r - 5)_2$-RMFE. Polynomial-interpolation-based construction (e.g. we can embed $\mathbb{F}_2^{99}$ into $\mathbb{F}_{2^{325}}$).
How to use RMFEs
[Figure: party $i$ encodes its input vector $x_i = (x_{i1}, x_{i2}, \dots, x_{ik})$ as $\varphi(x_i) \in$ GF($2^m$); the circuit $C'$ (several modifications w.r.t. $C$) is evaluated on $\varphi(x_1), \dots, \varphi(x_n)$, and its output $Y$ is decoded as $\varphi^{-1}(Y)$.]
◮ Invariant: all intermediate values are sharings of $\varphi$-encodings.
◮ We decode the output with the inverse $\varphi^{-1}$ (not with $\psi$).
Main circuit modification
[Figure: an AND gate over GF(2) with inputs $a, b$ and output $a \cdot b$ is replaced in $C'$ by a multiplication gate over GF($2^m$) with inputs $A, B$, followed by a $\varphi \circ \psi$ gate, so that the output is $\varphi \circ \psi(A \cdot B)$.]
Main circuit modification explained
[Figure: over GF($2^m$), on inputs $\varphi(a)$ and $\varphi(b)$ the modified gate computes $\varphi(\psi(\varphi(a) \cdot \varphi(b))) = \varphi(a * b)$.]
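As an added worked example (not code from the paper), the $r = 1$ case of the interpolation construction, a $(3,5)_2$-RMFE into GF($2^5$) with the assumed reduction polynomial $X^5 + X^2 + 1$: it checks the RMFE identity exhaustively, shows that $\psi \neq \varphi^{-1}$, and then uses the $\varphi \circ \psi$ AND gate to evaluate three instances of a small Boolean circuit in one pass, decoding the result with $\varphi^{-1}$ rather than $\psi$.

```python
# Added example: a (3,5)_2-RMFE by interpolation at the points 0, 1 and "infinity".
# GF(2^5) elements are ints whose bit i is the coefficient of X^i (modulus assumed).
M, K = 5, 3
MODULUS = 0b100101   # X^5 + X^2 + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Product in GF(2^5): carry-less multiply with on-the-fly reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MODULUS
    return r

def phi(x):
    """phi: GF(2)^3 -> GF(2^5); x = (f(0), f(1), X^2-coefficient) of a degree <= 2 poly f."""
    x1, x2, x3 = x
    a1 = x1 ^ x2 ^ x3                  # f(1) = a0 + a1 + a2 with a0 = x1, a2 = x3
    return x1 | (a1 << 1) | (x3 << 2)

def psi(e):
    """psi: GF(2^5) -> GF(2)^3; read e as a degree <= 4 poly g, return (g(0), g(1), X^4-coeff)."""
    bits = [(e >> i) & 1 for i in range(M)]
    return (bits[0], sum(bits) & 1, bits[4])

def phi_inv(e):
    """Inverse of phi on its image (degree <= 2 polys): the decoding used for outputs."""
    if e >> 3:
        raise ValueError("not a phi-encoding")
    a0, a1, a2 = e & 1, (e >> 1) & 1, (e >> 2) & 1
    return (a0, a0 ^ a1 ^ a2, a2)

def is_rmfe():
    """Exhaustive check of x * y == psi(phi(x) . phi(y)) over all of GF(2)^3."""
    vecs = [tuple((v >> i) & 1 for i in range(K)) for v in range(1 << K)]
    return all(tuple(a & b for a, b in zip(x, y)) == psi(gf_mul(phi(x), phi(y)))
               for x in vecs for y in vecs)

def and_gate(A, B):
    """Modified AND gate of C': field product, then phi∘psi, so the output is again a phi-encoding."""
    return phi(psi(gf_mul(A, B)))

def parallel_circuit(x1, x2, x3):
    """k = 3 instances of y = (x1 AND x2) XOR x3 in one pass: encode, evaluate C', decode with phi^-1."""
    Y = and_gate(phi(x1), phi(x2)) ^ phi(x3)   # XOR gates are plain field additions
    return phi_inv(Y)
```

Because the factors have degree at most 2, their product has degree at most 4 and is stored exactly in GF($2^5$), which is what lets $\psi$ read off $x_3 y_3$ from the $X^4$ coefficient.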
Obstacles
1. How do we (efficiently) process the $(\varphi \circ \psi)$-gates?
2. How do we guarantee that parties input $\varphi$-encodings?
Random sharings in $\mathbb{F}_2$-linear subspaces
These can be reduced to the following problem: "Given an $\mathbb{F}_2$-linear subspace $V \subseteq (\mathbb{F}_{2^m})^\ell$, generate $[R_1], \dots, [R_\ell]$ for $(R_1, \dots, R_\ell) \in_R V$."
Hyper-invertible matrices (BH08):
◮ Would work if $V$ were an $\mathbb{F}_{2^m}$-linear subspace,
◮ But do not work directly for $\mathbb{F}_2$-linear subspaces.
Solution: apply the HIM-based protocol to the tensor product $\mathbb{F}_{2^m} \otimes V$.
◮ $\mathbb{F}_{2^m} \otimes V$ is an $\mathbb{F}_{2^m}$-vector space.
◮ We can see its elements as vectors from $V^m$.
Conclusions
We present:
◮ A methodology to securely evaluate several instances of a circuit over a small field in parallel, by using an SSS-based MPC protocol for a large field.
◮ An extension of the results from BH08 to small fields (in an amortized sense).
◮ Main technical handle: reverse multiplication-friendly embeddings.
Future work:
◮ Extending these results to other models (e.g. dishonest majority).